← Home

@oracle/oraclejet-audit

npm

JET AUDIT FRAMEWORK

11
Versions
UPL-1.0
License
No
Install Scripts
Missing
Provenance

Supply chain provenance

Status for the latest visible version.

No SLSA provenance npm registry signatures No source commit

Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.

Maintainers

peppertechmanish2788murselvameghana-vadlapallysmadeghe-orclwlouie-orclejsefah

Keywords

htmlcssjsjsonjetauditlint

Accepted risks

Findings the reviewer chose to accept rather than block on.

SourceRuleReasonAccepted byWhen
source-diff obfuscated-file:meta/18.1.0/jetauditmeta.js AI (source-diff): Large JSON metadata blob for JET audit framework; minified format is expected for this Oracle package. ai
source-diff obfuscated-file:rules/jet/oj-tsx-corequired.js AI (source-diff): Minified rule implementation with Oracle copyright; readable logic, consistent with audit framework build output. ai
source-diff obfuscated-file:rules/jet/oj-html-corequired.js AI (source-diff): Minified rule implementation with Oracle copyright; readable logic, consistent with audit framework build output. ai
source-diff obfuscated-file:rules/jet/oj-cca-compjson-prop-conflict.js AI (source-diff): Minified rule implementation with Oracle copyright; readable logic, consistent with audit framework build output. ai
source-diff obfuscated-file:rulepacks/jetwc/jetwc-use-public-apis.js AI (source-diff): Minified rule implementation with Oracle copyright; readable logic, consistent with audit framework build output. ai
source-diff obfuscated-file:meta/19.0.0/jetauditmeta.js AI (source-diff): Large JSON metadata blob for JET audit framework; minified format is expected for this Oracle package. ai
source-diff obfuscated-file:meta/20.1.0/jetauditmeta.js AI (source-diff): Minified JSON metadata blob for Oracle JET audit framework; not obfuscated malicious code. ai
source-diff obfuscated-file:meta/20.0.0/jetauditmeta.js AI (source-diff): Oracle JET metadata bundle; long lines are minified component registry data, not obfuscated malicious code. Stable pattern for this package. ai
semgrep semgrep:dynamic-require AI (semgrep): Audit/lint framework with plugin/rule loader pattern; dynamic require is expected and stable across versions. ai
phantom-deps phantom-dep:line-column AI (phantom-deps): line-column is declared in package.json dependencies; phantom-dep heuristic false positive for this package. ai
phantom-deps phantom-dep:es-abstract AI (phantom-deps): es-abstract is declared in package.json dependencies; phantom-dep heuristic false positive for this package. ai
phantom-deps phantom-dep:parserlib AI (phantom-deps): parserlib is declared in package.json dependencies; phantom-dep heuristic false positive for this package. ai
phantom-deps phantom-dep:astring AI (phantom-deps): astring is declared in package.json dependencies; phantom-dep heuristic false positive for this package. ai
semgrep semgrep:eval-usage AI (semgrep): eval() in metaLoader.js reads local filesystem meta files; consistent with a build-time audit tool, not supply-chain risk. ai

Versions (showing 11 of 11)

Version Deps Published
20.1.2 25 / 3
20.1.1 25 / 3
20.1.0 25 / 3
20.0.5 25 / 3
20.0.4 25 / 3
20.0.3 25 / 3
19.0.8 25 / 3
19.0.7 25 / 3
19.0.6 25 / 3
18.1.9 25 / 3
18.0.14 25 / 3

v20.1.2

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v20.1.1

3 findings
HIGH New obfuscated file: meta/20.0.0/jetauditmeta.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: meta/20.1.0/jetauditmeta.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v20.1.0

4 findings
HIGH Publisher changed: meghana-vadlapally → wlouie-orcl (on 2026-05-19) provenance

This version was published by a different npm account than previous versions on 2026-05-19. This could indicate a legitimate maintainer transition or an account compromise.

HIGH New obfuscated file: meta/20.0.0/jetauditmeta.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: meta/20.1.0/jetauditmeta.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v20.0.5

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v20.0.4

2 findings
HIGH New obfuscated file: meta/20.0.0/jetauditmeta.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v20.0.3

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v19.0.8

7 findings
HIGH New obfuscated file: meta/18.1.0/jetauditmeta.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: meta/19.0.0/jetauditmeta.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: rulepacks/jetwc/jetwc-use-public-apis.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: rules/jet/oj-cca-compjson-prop-conflict.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: rules/jet/oj-html-corequired.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

HIGH New obfuscated file: rules/jet/oj-tsx-corequired.js source-diff

Newly added source file contains lines over 3000 chars, suggesting minified or obfuscated code. New obfuscated files are a strong attack indicator.

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v19.0.7

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v19.0.6

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v18.1.9

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v18.0.14

1 finding
LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.